
Fix CVE-2015-7368

Information Exposure Through Browser Caching
--------------------------------------------

N B Sri Harsha has discovered that the cached copies of pages visited in
Revive Adserver's Admin UI were still reachable via the browser history after
successfully logging out. That could potentially expose sensitive information to
unauthorised parties.

CWE: CWE-525
CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
mbeccati committed Sep 28, 2015
1 parent ccbd1cc commit 15aac363749e46ec6806d01734aeaff20116a073
Showing with 7 additions and 4 deletions.
  1. +2 −2 lib/max/Delivery/common.php
  2. +5 −0 www/admin/config.php
  3. +0 −2 www/admin/stats.php
@@ -221,8 +221,8 @@ function MAX_commonSendContentTypeHeader($type = 'text/html', $charset = null)
function MAX_commonSetNoCacheHeaders()
{
MAX_header('Pragma: no-cache');
MAX_header('Cache-Control: private, max-age=0, no-cache');
MAX_header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
MAX_header('Cache-Control: no-cache, no-store, must-revalidate');
MAX_header('Expires: 0');

// Also send default CORS headers
MAX_header('Access-Control-Allow-Origin: *');
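Review bot: the replacement `Cache-Control: no-cache, no-store, must-revalidate` is the part that actually addresses the history/back-button exposure; the previous `private, max-age=0, no-cache` still permitted the browser to keep a copy on disk and show it from history after logout, whereas `no-store` forbids storing the response at all. Worth a one-line comment above `MAX_header('Cache-Control: no-cache, no-store, must-revalidate');` saying so, since a future cleanup could easily "simplify" it back to `no-cache`. Keeping `Pragma: no-cache` alongside is correct for HTTP/1.0 intermediaries, and `Expires: 0`, while not a valid HTTP-date, is treated by clients as already expired, which is the intended effect.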
@@ -91,6 +91,11 @@ function OA_Start($checkRedirectFunc = null)
$conf = $GLOBALS['_MAX']['CONF'];
global $session;

// Send no cache headers
MAX_header('Pragma: no-cache');
MAX_header('Cache-Control: no-cache, no-store, must-revalidate');
MAX_header('Expires: 0');

// XXX: Why not try loading session data when OpenX is not installed?
//if ($conf['openads']['installed'])
if (OA_INSTALLATION_STATUS == OA_INSTALLATION_STATUS_INSTALLED)
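Review bot: the three `MAX_header(...)` calls added to `OA_Start()` duplicate the body of `MAX_commonSetNoCacheHeaders()` from `lib/max/Delivery/common.php` instead of calling it. If the delivery helper is not guaranteed to be loaded this early in the admin bootstrap, a short comment explaining why the headers are inlined would prevent someone from later replacing one copy without the other; if it is available, prefer a single call so the two code paths cannot drift apart. Emitting the headers unconditionally in `OA_Start()` is the right place for the fix, since it covers every admin page rather than only those that remembered to opt in.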
@@ -23,8 +23,6 @@
require_once MAX_PATH . '/lib/OA/Admin/Statistics/Factory.php';
require_once MAX_PATH . '/lib/pear/Date.php';

// No cache
MAX_commonSetNoCacheHeaders();

// The URL for stats pages may include values for "period_preset",
// "period_start" and "period_end". However, the user may have
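Review bot: removing the explicit `MAX_commonSetNoCacheHeaders();` from `www/admin/stats.php` is only safe if this page is always reached through `OA_Start()` in `www/admin/config.php`, which now sends the same headers; please confirm that include order holds for stats.php and that no other admin entry point relied on a per-page call that is not covered by the new global one. A grep for remaining `MAX_commonSetNoCacheHeaders()` callers under `www/admin/` would show whether the rest can be dropped consistently, or whether some page is still served without `no-store`.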
